• SweetBilliam@midwest.social
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    2
    ·
    10 months ago

    Another web developer here, that is how the California and European rules are interpreted. If we’re acting in good faith we do not store anything.

    Maybe you can find a way to argue user settings and session cookies don’t require consent, but I am not a lawyer and I err on the side that doesn’t put me out of business.

    • barsoap@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      10 months ago

      It’s not about “finding a way to argue”, but “follow the law”. Which means “analyse every data point and categorise it”. When you do that for remembering cookie settings, going down the three-part test, 1) The purpose of not annoying users is legitimate, 2) It is necessary to store a single boolean for that, 3) Balancing: As our previous analysis left us with a single boolean we simply note that that’s not personal data.

      This kind of stuff shouldn’t be done by lawyers but your data protection officer. Random lawyers will have all kinds of crazy opinions about the regulations because they don’t understand that area of law enough to interpret it. Heck your run off the mill US lawyers won’t even understand European legal theory enough to understand it. Data protection officers, however, are trained and certified to do exactly those calls.

      I don’t know about education in the US but back in the early 00s, when I was still polishing lecture hall chairs with my butt, data protection was part of the mandatory curriculum. Not an official certification, but like 80% of what you needed to know to pass a certification test, and about 500% of what you need as a developer, which is spotting when something should get looked at.

      As to putting you out of business: Even if my analysis was wrong (it isn’t), this isn’t “fine into bankruptcy” but “polite letter” territory. All those companies using dark patterns in cookie banners, OTOH, are risking serious action. It could even be argued that not remembering accept/reject settings is in itself a dark pattern, but again that would be “polite letter” territory.